2
10th ICCC, 2009Policies vs Threats2 Contents Security Problem Definition Security Problem Definition –Assets –Assumptions –Threats –Policies SPD through the use of Threats SPD through the use of Threats SPD through the use of Policies SPD through the use of Policies Examples of SPD to compare Examples of SPD to compare What happens to attacks and Threats What happens to attacks and Threats Effect of using Policies Effect of using Policies

4
10th ICCC, 2009Policies vs Threats4 Assets “assets - entities that the owner of the TOE presumably places value upon.” “assets - entities that the owner of the TOE presumably places value upon.” Asset is an object that a customer places into our hands for safekeeping Asset is an object that a customer places into our hands for safekeeping (yes, we also have our own secrets to keep) (yes, we also have our own secrets to keep) The security functionality of a product is usually mainly concerned with the operations on assets The security functionality of a product is usually mainly concerned with the operations on assets

5
10th ICCC, 2009Policies vs Threats5 Assumptions Assumptions are made on the operational environment in order to be able to provide security functionality Assumptions are made on the operational environment in order to be able to provide security functionality Assumption = Limitation of the scope Assumption = Limitation of the scope Assumption = Risk Assumption = Risk –Once an assumption does not hold, there is no guarantee that the product operates in a secure manner Always a trade-off between cost and risk Always a trade-off between cost and risk Fewer assumptions = Lower risk Fewer assumptions = Lower risk

6
10th ICCC, 2009Policies vs Threats6 Threats A threat is an adverse action performed by a threat agent on an asset A threat is an adverse action performed by a threat agent on an asset Threats are always evolving as new attacks are discovered Threats are always evolving as new attacks are discovered The list of threats is outdated as soon as it is published The list of threats is outdated as soon as it is published The solution applied by the schemes: The solution applied by the schemes: –ST specifies the threats that are very specific to the product –The lab applies automatically all the ‘usual’ threats relevant to the category of the product

7
10th ICCC, 2009Policies vs Threats7 SPD through Threats Ideally: specific threats against the specific product Ideally: specific threats against the specific product Really: a disguise for the list of known attacks Really: a disguise for the list of known attacks Result: immediately outdated at completion Result: immediately outdated at completion More: does not fit into the design flow More: does not fit into the design flow Side effect: ST grows with every new attack and every new customer who has a peculiar threat Side effect: ST grows with every new attack and every new customer who has a peculiar threat

9
10th ICCC, 2009Policies vs Threats9 Using security policies A positive forward statement of the product’s security capabilities, purpose and strengths A positive forward statement of the product’s security capabilities, purpose and strengths Describe the functionality instead of the attacks Describe the functionality instead of the attacks Describe the security functionality relevant to the customer, not for self-defence Describe the security functionality relevant to the customer, not for self-defence Directly translate into positive Security Objectives Directly translate into positive Security Objectives

10
10th ICCC, 2009Policies vs Threats10 Example : Assumptions/Threats A.Process-Card – Dedicated security procedures are assumed to be established for the delivery of the TOE between the parties and for the protection of the TOE outside of the control of the Developer before the final delivery to the User. A.Process-Card – Dedicated security procedures are assumed to be established for the delivery of the TOE between the parties and for the protection of the TOE outside of the control of the Developer before the final delivery to the User. A.Secure-Key - The cryptographic keys generated outside the TOE are assumed to be reliable, secret and adequately protected from disclosure. A.Secure-Key - The cryptographic keys generated outside the TOE are assumed to be reliable, secret and adequately protected from disclosure. T.Logical_Attack – Since the TOE allows for software download, an attacker may attempt to use this capability to mount an attack against the TOE. T.Logical_Attack – Since the TOE allows for software download, an attacker may attempt to use this capability to mount an attack against the TOE. T.Eavesdropping – The TOE and its communication channels may be monitored and an attacker may attempt to inject data to mount an attack against the TOE. T.Eavesdropping – The TOE and its communication channels may be monitored and an attacker may attempt to inject data to mount an attack against the TOE. T.Physical_Probing – The TOE may be subjected to an attempt of a physical modification to bypass the protection. T.Physical_Probing – The TOE may be subjected to an attempt of a physical modification to bypass the protection. P.Access_controls - The Administrator can configure an access control policy that links the access control mechanisms with the TOE assets. P.Access_controls - The Administrator can configure an access control policy that links the access control mechanisms with the TOE assets. P.Mode - The Administrator sets up the TOE and switches it to the Operational Mode before delivering to the User. P.Mode - The Administrator sets up the TOE and switches it to the Operational Mode before delivering to the User.

11
10th ICCC, 2009Policies vs Threats11 Example : Policies P.Confidentiality - The TOE must provide means to protect the confidentiality of the stored assets. P.Confidentiality - The TOE must provide means to protect the confidentiality of the stored assets. P.Integrity - The TOE must provide means to protect the integrity of the stored assets. P.Integrity - The TOE must provide means to protect the integrity of the stored assets. P.TransferSecret - The TOE must provide means to protect the confidentiality of assets during transfer to and from the outside of TOE. P.TransferSecret - The TOE must provide means to protect the confidentiality of assets during transfer to and from the outside of TOE. P.TransferIntegrity - The TOE must provide means to protect the integrity of assets during transfer to and from the outside of TOE. P.TransferIntegrity - The TOE must provide means to protect the integrity of assets during transfer to and from the outside of TOE. P.Configure - The TOE must provide means to configure the level of protection for each of the assets. P.Configure - The TOE must provide means to configure the level of protection for each of the assets. P.Keys - The keys generated for the use by TOE must be secure. The keys for the use by TOE must be generated and handled in a secure manner. P.Keys - The keys generated for the use by TOE must be secure. The keys for the use by TOE must be generated and handled in a secure manner.

12
10th ICCC, 2009Policies vs Threats12 Attacks and resulting Threats? The lab is responsible for checking that the: The lab is responsible for checking that the: –product operates in a useful manner –claimed functionality operates in the stated environment –product remains secure under the known attacks The lab verifies all these things regardless of whether you include them into the Security Target The lab verifies all these things regardless of whether you include them into the Security Target Best concentrate on the product, not on trying to do the job of the evaluation lab Best concentrate on the product, not on trying to do the job of the evaluation lab

13
10th ICCC, 2009Policies vs Threats13 Effect of using Policies Security Target explains what the product does instead of what it does not do. Security Target explains what the product does instead of what it does not do. Security Target focuses on the security functionality for the customer, not on the security functionality of self-protection. Security Target focuses on the security functionality for the customer, not on the security functionality of self-protection. Security Target becomes more streamlined and easier to write, understand and evaluate. Security Target becomes more streamlined and easier to write, understand and evaluate. This approach fits perfectly with the “top-down” security design. This approach fits perfectly with the “top-down” security design. Ultimately reduces the cost of both preparation and evaluation Ultimately reduces the cost of both preparation and evaluation